Firefox, Others at Phishing Risk

Well, while I was collecting some information about the newest phishing techniques, I found this article which really astonished me... A group announced that they have detected a new flaw in Firefox and others that leaves users open to a spoofing or phishing attack. And what is really weird is that IE is not affected...

A non-profit security think tank called the Shmoo Group has announced the discovery of a flaw in Firefox and other recent browsers, including Mozilla, Safari, Opera and Camino, that leaves users open to a spoofing or phishing attack. Microsoft Internet Explorer is not affected.

The Shmoo Group posted notice of the exploit on its site under the title, "0wn any domain, no defense exists."

"Want to own ANY domain? Want a trusted SSL cert for it? We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers," states the group's Web site.

Eric Johanson of the Shmoo Group has reported and demonstrated in a proof of concept a "homograph attack" that allows a malicious Web site to spoof the actual URL that is displayed in the address bar, status bar or even an SSL certificate.

The flaw is the result of an "unintended result" of how the International Domain Name (IDN) system is implemented in the browsers. One way the flaw can be exploited is for a malicious user to register a domain name with an international character that looks like a Latin alphabet character. The address appears to be the correct address, though it is using an international character.

The concept of "Homograph attacks" is not a new one. Johanson himself cites a December 2001 research paper that describes how such an attack could occur, though he notes at that time no browser had implemented Unicode/UTF8 domain name resolution. Almost every recent browser (Firefox, Mozilla, Safari, Opera) except for Microsoft's Internet Explorer currently implements IDN and Unicode/UTF8 domain name resolution.

According to the Shmoo Group, Mozilla developers have provided a workaround for the problem, though it's unclear how successful the workaround is at this point.

I do like Firefox, and it is just disappointing to hear that.
Any comments?

Sunday, February 6, 2005
Shmoo Group exploit: 0wn any domain, no defense exists
Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws our on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon." Link (Thanks, Pablos!)
Update: Chris Smith sez,

1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click OK. You are done.
4) Go check out the shmoo demo again and notice it no longer works.

Update 2: J Brad Hicks sez, "Contrary to the update you just posted, setting network.enableIDN to false did not fix the problem for me in FireFox 1.0, aka Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0. Not even after quitting the application and re-launching it."
Update 3: Glenn sez, "I had the same problem in the same browser until I used Tools/Options/Privacy to clear the browser's cache. After clearing the cache, the network.enableIDN setting *does* appear to prohibit the exploit."

Update 4: Salim sez, "It seems that Firefox 1.0 is vulnerable despite applying the network.enableIDN fix. It works initially, but when the browser is restarted, the idn feature kicks into life again."

Update 5: Scott sez, "I've done a simple hack to Firefox to make it stick. My how-to is here."

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts"..... Spaf
Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster
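
Added example, not part of the original posts or of the Shmoo Group advisory: a small Python check for the homograph problem described in the quoted article. It converts a hostname to the ASCII (xn--) form that is actually resolved and flags any label that mixes scripts, such as one Cyrillic letter inside an otherwise Latin name. The sample hostname, the function names and the name-prefix script heuristic are assumptions made for this illustration.

```python
import unicodedata

# Constructed sample: "example.com" with U+0430 CYRILLIC SMALL LETTER A
# in place of the Latin "a" (not a name taken from the page).
SPOOFED = "ex\u0430mple.com"


def script_of(ch):
    """Approximate a character's script from its Unicode name.

    The standard library exposes no script property, so the first word of
    the character name ("LATIN", "CYRILLIC", "GREEK", ...) stands in for it.
    """
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def inspect_host(host):
    """Return (ascii_form, findings) for a hostname.

    ascii_form is the xn-- (Punycode) name that is actually resolved;
    findings lists (label, reason) for every label that mixes scripts.
    """
    ascii_labels, findings = [], []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Already in ASCII form: decode so the check sees the real letters.
            label = label.encode("ascii").decode("idna")
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        ascii_labels.append(label.encode("idna").decode("ascii"))
    return ".".join(ascii_labels), findings


if __name__ == "__main__":
    for host in ("example.com", SPOOFED):
        ascii_form, findings = inspect_host(host)
        print(f"{host!r} -> {ascii_form} {findings or 'ok'}")
```

A label written entirely in one non-Latin script passes this check, so whole-script lookalikes still need a confusables table on top of it.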